
RE: Authentication Methods for LDAP - last call



Now you see, this is the fun (or painful) thing about this thread.  I can
actually completely agree with your argument, but my conclusion is
completely different.  Specifically, I would argue that CRAM-MD5 MAY
be implemented in environments where scale and security are not
a concern and public key based authentication MUST be implemented
where they are.  Now, before you turn your flame thrower on, please read on.

I take John's point suggesting that we are in an infinite
rebuttal loop that (I hope) none of us really want.  Is the basis of
John's suggested compromise really that difficult to swallow?  
Is it simply a matter of wording?
To be more specific, I am more than willing to accept the MUST for
CRAM-MD5 and the SHOULD for public key as long as the proper
caveats (as previously suggested) are inserted into the document.

I recognize that we really need to bring this to closure.  Tim, Mark - how
do the co-chairs feel about this?

Cheers,
Steve Lloyd
Entrust Technologies
steve.lloyd@entrust.com
613-247-3182

> ----------
> From: 	edguer@cs.loyola.edu[SMTP:edguer@cs.loyola.edu]
> Sent: 	Thursday, August 06, 1998 10:53 AM
> To: 	ietf-ldapext@netscape.com
> Subject: 	RE: Authentication Methods for LDAP - last call
> 
> > > Good grief. The argument set forth by you and some others essentially
> > > says don't worry about mass deployments, or the Internet, or real
> > > businesses that have more than ONE server, use a (by your own admission)
> > > weak security mechanism (CRAM-MD5) because it is simpler to implement
> > > and better than passing clear text. This is bordering on the absurd.
> > > You will never convince me, Steve, Paul, and others that work on
> > > distributed systems of this argument.
> 
> Good grief.  The argument set forth by others does not say "don't worry
> about mass deployments".  The argument set forth says that LDAP
> applications that are not concerned with mass deployments should not have
> to worry about the huge overhead that a global infrastructure requires.
> The others are saying that you don't deploy a nuclear weapon to kill a
> single mosquito.
> 
> The ability of X.500 and X.509 advocates to entirely miss the point that
> their solutions should not be MANDATORY for everyone and that just because
> there is a single MANDATORY method does not prevent people from offering
> additional OPTIONAL methods that are standardized and interoperable is
> bordering on the absurd.
> 
> > I also think that those who pronounce that 200,000 users on 1 LDAP
> > server should get a bit of reality into their argument. Does anyone on
> > this list think that:
> > a) a 200,000 staff company running a commercial business will use 1 LDAP
> > server - that size of organisation will be distributed around - will
> > require redundant backups and will require connectivity to other
> > organisations' (trading partner) directory systems.
> >
> > b) this company wants to have a server system, say 5 or 6 of them, where
> > they have to replicate everything in one to everything in another - and
> > also with their trading partners.
> > eg. Please buy 5 LDAP servers and then get 5 people to keep them in
> > sync.
> 
> I think that those who pronounce a requirement that all LDAP clients and
> servers must support X.509 certificates and who say that the only way to
> replicate is using LDAP should get a bit of reality in their arguments.
> 
> There are many organizations that use LDAP as an interface to a
> traditional RDBMS.  They already have complete replication capabilities
> built into their database system and they don't need the wasted overhead
> of an LDAP or X.500 replication technique.
> 
> There are many people who don't want to share their databases with their
> trading partners, who are willing to use SPKI or non-LDAP based PKIX
> methods to exchange certificates (things associated with Secure DNS)
> while still using LDAP internally.
> 
> I have no problems with trying to build better tools and tools that can
> actually scale to the whole world.  I think those would be good things,
> but the fact that an airline needs a 747 to move people and cargo from
> New York to San Francisco does not mean I have to buy one for my daily
> commute to work (just as the fact that you see a use for X.509 in LDAP
> does not mean I need them in my work, and making them MANDATORY will force
> me to buy or implement them!).
>